The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4429 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-4429-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                   Bastien Roucaris     December 31, 2025                             https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : imagemagick     Version        : 8:6.9.11.60+dfsg-1.3+deb11u8     CVE ID         : CVE-2025-65955 CVE-2025-66628 CVE-2025-68469 CVE-2025-68618                      CVE-2025-68950 CVE-2025-69204     Debian Bug     : 1122584 1122827

    Multiple vulnerabilities were fixed in imagemagick a popular image     processing suite.

    CVE-2025-65955

         A vulnerability was found in ImageMagick??s Magick++ layer that         manifests when Options::fontFamily is invoked with an empty         string. Clearing a font family calls RelinquishMagickMemory on
        _drawInfo->font, freeing the font string but leaving _drawInfo->font         pointing to freed memory while _drawInfo->family is set to that         (now-invalid) pointer. Any later cleanup or reuse of _drawInfo->font         re-frees or dereferences dangling memory. DestroyDrawInfo and other         setters (Options::font, Image::font) assume _drawInfo->font remains         valid, so destruction or subsequent updates trigger crashes or heap         corruption

    CVE-2025-66628

        The TIM (PSX TIM) image parser contains a critical integer overflow         vulnerability in its ReadTIMImage function (coders/tim.c). The code         reads width and height (16-bit values) from the file header and         calculates image_size = 2 * width * height without checking for         overflow. On 32-bit systems (or where size_t is 32-bit), this         calculation can overflow if width and height are large (e.g., 65535),         wrapping around to a small value

    CVE-2025-68469

        ImageMagick crashes when processing a crafted TIFF file

    CVE-2025-68618

        Magick's failure to limit the depth of SVG file reads caused         a DoS attack.

    CVE-2025-68950

        Magick's failure to limit MVG mutual references forming a loop

    CVE-2025-69204

        Converting a malicious MVG file to SVG caused an integer overflow.

    For Debian 11 bullseye, these problems have been fixed in version     8:6.9.11.60+dfsg-1.3+deb11u8.

    We recommend that you upgrade your imagemagick packages.

    For the detailed security status of imagemagick please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/imagemagick

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Debian dla-4429 : imagemagick - security update

medium Nessus Plugin ID 281533

Version 1.3

Version 1.2

Version 1.1

Version 1.3 Feb 19, 2026, 12:02 PM CVSS metrics ("CVSSv2 score" set to 5.2) CVSS metrics ("CVSSv2 vector" set to "CVSS2#AV:L/AC:L/Au:S/C:N/I:P/A:C") CVSS metrics ("CVSSv3 score" set to 6.1) CVSS metrics ("CVSSv3 vector" set to "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H") CVSSv2 score source (changed from "CVE-2025-68469" to "CVE-2025-65955") CVSSv2 severity (based on CVE-2025-65955, severity increased from "Low" to "Medium") CVSSv3 severity (based on None, severity increased from "Low" to "Medium") Plugin Feed: 202602191202
Version 1.2 Jan 21, 2026, 5:00 PM IAVM reference Plugin Feed: 202601211700
Version 1.1 Jan 1, 2026, 1:21 AM New Plugin Feed: 202601010121